Solved another dllhost spawning problem

[analog]

In September, TwinHeadedEagle helped member Gene F. solve his dllhost spawing problem. I have an issue that appears to be the same persistent problem and possible infection of my system. I initially tried to start a private conversation with TwinHeadedEagle before I noticed his instruction to post issues in the forum rather than contacting him directly. Sorry about that.

My computer is a Dell Latitude E5420 running the 64-bit version of Windows 7 Home Premium with Service Pack 1 installed. I use Norton 360 as primary security and also run SpyBot, Malwarebytes and CCleaner from time to time. The system has been stable and running clear for over a year up until last Friday or so when it started to bog down and well established websites began regularly to go unresponsive. The specific symptoms:

Processor and memory usage at very high levels.
Numerous and respawning dllhost.exe *32 Com Surrogate processes running.
Norton Blocked messages:
System Infected: Trojan.Powelik Activity
Web Attack: Exploit Toolkit Website 33
Trojan.Adclicker Activity
Other error messages:
Norton High Memory Usage by COM Surrogate
Windows message Powershell has stopped working.
In addition, Inrernet Explorer security settings keep switching back to prevent downloads.

I ran a Norton 360 full system scan and nothing was detected.

I ran the Norton 360 registry clean up and some minor issues were resolved.

The problem persisted so I ran SpyBot free edition. It detected and removed some tracking cookies.

The problem persisted so I ran CCleaner. It did not detect any malware or the like, but it did cleanup files and it resolved additional minor registry issues.

The problem persisted so I ran Malwarebytes Anti-Malware free edition. It found a few items and quarantined the problems.

The problem persisted so I ran Norton PowerEraser. I cannot recall if any problems were detected, but it successfully ran to completion.

Norton support tried removing backing out a Windows update that they believed was the problem but the problem reappeared after about an hour.

I used the Norton firewall to prevent dllhost.exe from accessing the Internet, and that seems to have isolated but not fixed the underlying problem.

It appears that I have some deep infection or other problem that the usual tools cannot remove or resolve.

I have run the Farbar Recovery Scan Tool and the frst and addition txt files are attached.

Thanks very much in advance for your assistance with this matter.

Regards,
Analog

 

[TwinHeadedEagle]

Hello,



They call me TwinHeadedEagle around here, and I'll be working with you.



Before we start please read and note the following:

• At the top of your post, please click on the "Watch thread" button and make sure to check Watch this thread...and receive email notifications. This will send an email to you as soon as I reply to your topic, allowing me to solve your problem faster.
• Please do not install any new software during the cleaning process other than the tools I provide for you. This can hinder the cleaning process. Please do not perform System Restore or any other restore.
• Instructions I give to you are very simple and made for complete beginner to follow. That's why you need to read through my instructions carefully and completely before executing them.
• Please do not run any tools other than the ones I ask you to, when I ask you to. Some of these tools can be very dangerous if used improperly. Also, if you use a tool that I have not requested you use, it can cause false positives, thereby delaying the complete cleaning of your machine.
  
• All tools we use here are completely clean and do not contain any malware. If your antivirus detects them as malicious, please disable your antivirus and then continue.
• If during the process you run across anything that is not in my instructions, please stop and ask. If any tool is running too much time (few hours), please stop and inform me.
• I visit forum several times at day, making sure to respond to everyone's topic as fast as possible. But bear in mind that I have private life like everyone and I cannot be here 24/7. So please be patient with me. Also, some infections require less, and some more time to be removed completely, so bear this in mind and be patient.
• Please stay with me until the end of all steps and procedures and I declare your system clean. Just because there is a lack of symptoms does not indicate a clean machine. If you solved your problem yourself, set aside two minutes to let me know.
  
• Please attach all report using
  
  button below. Doing this, you make it easier for me to analyze and fix your problem.
  
• Do not ask for help for your business PC. Companies are making revenue via computers, so it is good thing to pay someone to repair it.
• If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed.

Scan with TDSSKiller

Please download TDSSKiller by Kaspersky and save it to your desktop.

• Right-click on
  
  icon and select
  
  Run as Administrator to start the tool.
• Click on Change parameters and put a checkmark beside Loaded modules. A reboot will be needed to apply the changes, allow it to do so.
• Your machine may appear very slow and unusable after that - it's normal.
• TDSSKiller will run automaticaly. Click on Change parameters and click OK.
• Click the Start Scan button and wait patiently.

If anything will be found follow this guidelines:

• If a suspicious object is detected, the default action will be Skip, click on Continue.
• If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  If Cure is not available, please choose Skip instead.
• Do not choose Delete unless instructed!

A report will be created in your root directory, (usually C:\ drive) in the form of TDSSKiller.[Version]_[Date]_[Time]_log.txt. Please include the contents of that file in your next post.

Scan with ComboFix

This is a very powerful tool that should be used only if advised by Malware Analyst.
Do not run ComboFix on your own!

Referring to this instruction, please download ComboFix by sUBs and save it to your desktop.
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.

• Right-click on
  
  icon and select
  
  Run as Administrator to start the tool.
• Accept the disclaimer and agree if prompted to install Recovery Console.
• Do not take any actions while ComboFix goes through your System - it may cause it to stall!
• This scan may take some time!
• When finished - it will display a logfile (located also on your main drive, usually C:\ComboFix.txt).

Include that log in your next reply.

If you'll encounter any issues with internet connection after running ComboFix, please visit this link.

If an error about operation on the key marked for deletion will appear after running the tool, please reboot your machine.

 

[analog]

Thanks very much for your post and for your assistance.

I ran the TDSSKiller. It found no threats and there was no action for me to take as it went through its process. The log file is attached.

I ran the ComboFix. It appears that it found a system file infected and automtically restored c:\windows\system32\services.exe. At one point it reported that powelik [sp?] infection was dealt with. The log file is attached.

Should I delete the firewall setting I added to block dllhost.exe from communicating outbound and inbound?

Thanks very much.

Best regards,

John

 

[TwinHeadedEagle]

Yes, please do so and tell me how is your PC now?

 

[analog]

All seems well. My initial testing after finishing the scans late last night revealed no problems. This morning I turned off the firewall block on dllhost.exe, kept the task manager process window open and did a bunch of different things on the computer, from Outlook to word processing to accessing Internet sites. Not even one dllhost process appeared. The computer ran fine and did not bog down. CPU and memory usage seemed low and normal for the use. So, from a user perspective, all seems well.

Did the logs show the infection you suspected as dealt with?

Thanks very much for your assistance. Your professionalism, style and skill are much appreciated.

But I have one question. Before you attack a nasty infection, do you turn your head and spit? Your profile pick and persona are perfect for what you do.

I will be making another donation to your beer fund from my jdmitchjr e-mail address.

Best regards,

John

 

[TwinHeadedEagle]

Did the logs show the infection you suspected as dealt with?

Yes, exactly what I suspected.

But I have one question. Before you attack a nasty infection, do you turn your head and spit? Your profile pick and persona are perfect for what you do.

I do this

Glad I could help. We will delete all used tools and I'll give you some tips to harden your security and learn how to protect yourself

Recommended reading:
​

MUST READ - security tips:

• Computer Security - a short guide to staying safer online.
• Simple and easy ways to keep your computer safe and secure on the Internet

MUST READ - general maintenance:

• What to do if your Computer is running slowly?

The Importance of Software Updating:
​

In order to stay protected it is very important that you regularly update all of your software. Cybercriminals depend on the apathy of users around software updates to keep their malicious endeavor running.​

Operating systems, such as Windows, and applications, such as Adobe Reader or JAVA, are used by tens of millions of computers and devices around the world, making them a huge target for cybercriminals. Downloading updates and installing them can sometimes be tedious, but the advantages you get from the updates are certainly worth it.

• How to configure and use Automatic Updates in Windows
• How to update Java
• How to update Adobe Reader

Recommended additional software:
​

TFC - to clean unneeded temporary files.

Malwarebytes' Anti-Malware - to scan your system from time to time in search for malware.

Malwarebytes' Anti-Exploit - to prevent plenty of mostly exploited vulnerabilities.

McShield - to prevent infections spread by removable media.

Unchecky - to prevent from installing additional foistware, implemented in legitimate installations.

FiheHippo.com Update Checker - to keep your programs up-to-date.

Adblock - to surf the web without annoying ads!

Post-cleanup procedures:​

Download DelFix by Xplode and save it to your desktop.

• Run the tool by right click on the
  
  icon and Run as administrator option.
• Make sure that these ones are checked:
  • Remove disinfection tools
  • Purge system restore
  • Reset system settings
• Push Run and wait until the tool completes his work.
• All tools we used should be gone. Tool will create an report for you (C:\DelFix.txt)

The tool will also record healthy state of registry and make a backup using ERUNT program in %windir%\ERUNT\DelFix
Tool deletes old system restore points and create a fresh system restore point after cleaning.

My help is free for everybody.
If you're happy with the help provided and/or wish to buy me a beer for the assistance you received, then you can consider a donation:
Thank you!​

Stay safe,
TwinHeadedEagle

 

[analog]

All cleaned up post fix.

Thanks again for your assistance.

Enjoy the beers!

Best regards,

John